Re: [SRM] stable/oldstable uploads for vftool CVE-2011-0433



On Mon, 2011-07-04 at 21:13 +0100, Jonathan Wiltshire wrote:
> I recently uploaded an NMU for vftool to fix CVE-2011-0433 in sid
> (bug #614669). At the time I notified the maintainer that I would perform
> uploads for stable and oldstable and I have not had any response, therefore
> the stable patch is attached.
>
> Stable is easy: the same version is present, so the patch is just the same
> as for unstable.

Thanks for this.  I assume the stable upload would be 2.0alpha-4+squeeze1
or similar?  (Or 2.0alpha-4.1~squeeze1 would work, I suppose).

> In oldstable, you have a choice of whether to include the changes in -4 or
> not. They fix a FTBFS (which I could not reproduce in a lenny chroot) but
> are not strictly necessary to fix the CVE. I will prepare uploads
> according to your preference.

The FTBFS would only occur if the lenny version were built with
_GNU_SOURCE defined (which it obviously wasn't, given that it built to
start with); only later versions of (e)glibc unconditionally define
getline().  On that basis, please only include the security-related
changes for oldstable.

Regards,

Adam